How secure is your digital system? The challenge of solving the unknown unknowns
Easier access to your trusted, local news. Have a look at our brand new digital subscription packages!
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know.
"But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.”
That was Donald Rumsfeld, former United States Secretary of Defense, on alleged links between the government of Iraq and the supply of weapons of mass destruction to terrorist groups, February 2002.
About five years ago, I was invited to attend a presentation by a commercial offshoot of the UK Ministry of Defence on a technology that had been developed for security purposes but was also recognised as having commercial benefits for the oil and gas industry.
The product was a distributed acoustic sensing cable that could be buried in the ground, pick up sounds and relay them back to a central station for interpretation. In the oil industry, running this cable down the side of casing could help identify potential weak spots or changes in the formation of the surrounding rock.
From a security perspective, laying it alongside an onshore pipe or road meant you could hear the vibrations of any vehicles that went along that road. You could hear the footsteps of people getting out of the vehicle and you could also hear if they were vandalising the pipe. Combining that with CCTV gave you an alarming picture of what was going on.
Imagine having such a cable around your house so you could hear if anyone was approaching from way up the street.
This technology impressed me. It seemed a sophisticated solution to dealing with the most advanced threat we knew of at the time. But, going back to Rumsfeld’s comment, it was a known threat in that it gave us prior warning of the crime before it was committed.
Rumsfeld got a fair bit of stick at the time, because what he said sounded like gobbledegook. But he was right. There are things we can’t respond to because, as yet, we don’t know they exist. The variety of cyber crimes falls into this category.
OK, cyber crime – a catch-all phrase for a variety of activities – is a real thing and we can do our best to mitigate the threats we know of. But what about the specific ones we don’t know about. How can we be ready for something that doesn’t exist, yet?
The impact of cyber crime in the energy industry was put into sharp focus at the beginning of May when, in the US, the Colonial Pipeline, the country’s largest fuel pipe carrying 2.5 million barrels a day from the Gulf Coast to the East Coast, was shut down by a ransomware cyber attack.
The pipe supplies 45 per cent of the East Coast’s diesel, gasoline and jet fuel. The shutdown was so significant it caused oil prices to rise. The US government had to issue emergency legislation to increase the movement of fuel by road.
A cyber criminal gang called DarkSide allegedly infiltrated Colonial’s computer system, took almost 100GB of data hostage and threatened to release it on the internet if ransom demands weren’t met.
While a major US pipeline was the target in this case, it could just as easily have happened to an asset in the UK.
Cyber crime is a very real threat to the energy industry and is on the rise. Research from cyber security and anti-virus provider Kaspersky revealed attacks on computers used in the oil and gas industry rose from 36 per cent to almost 38 per cent for the first half of 2020 compared to the same period in 2019.
The increased threat of cyber attacks on assets is a downside to the drive towards greater digitalisation – which is a result of the need for greater efficiencies in an industry impacted by constrained commodity prices. Lockdowns, working from home and a more widely spread workforce linked through the internet have exacerbated the problem.
The threat of cyber attacks has been a theme for industry gatherings for a few years now. However, while there is broad recognition of the challenges, it is understandable that very few companies are prepared to publicly admit they have been victims and share their experiences.
The international significance of the attack on the Colonial pipeline meant this was one case where publicity was unavoidable.
A reluctance to talk about actual crimes means the opportunities to share best practices from real life examples are limited. Industry responses to cyber attacks are therefore more often led by what might, rather than what did, happen. Because of this, the industry’s answer is inevitably a focus more on what we have to prepare for and less on making best use of the practical lessons that have been learned.
The perceived wealth of the energy industry, the nature of its operations and our dependence on it to sustain on our daily lives can make it an attractive target for ransomware attackers. But it’s not on its own. Across the industrial spectrum, cyber security is a major challenge and one that requires constant attention.
A better understanding of the risks for each sector can help support the allocation of resources to offset them. But we can only fight the threats we know about.
Those risks we can’t even imagine – the unknown unknowns – will always have the potential to blindside us. Will we ever be able to solve them?
- Andrew Bradshaw is head of energy insight at global corporate communications company Fifth Ring and is based at the company’s Inverness office. He is internationally recognised as one of the leading experts in energy public relations.